07 Feb ‘EU-US Privacy Shield’ in, ‘Safe Harbour’ out
New pact hopes to ensure stronger data transfer protections for EU citizens
The European Commission (EC) and the United States have reached an agreement on a new EU-US Privacy Shield to protect the transfer of EU citizens’ data overseas.
The announcement comes almost four months after the European Court of Justice ruled the old Safe Harbour framework invalid.
On 2 December, commissioner Věra Jourová received a mandate to pursue the negotiations on a renewed and safe framework with the US.
According to a statement released by the EC, the new arrangement will place stronger obligations on companies in the US to protect the personal data of Europeans.
Stronger monitoring and enforcement by the US Department of Commerce (DoC) and Federal Trade Commission (FTC) will also be required, including through increased cooperation with European data protection authorities.
Generalised access by US public authorities to personal data transferred under the new arrangement will now be subject to clear conditions, limitations and oversight – only to the extent necessary and proportionate.
Europeans may raise any enquiry or complaint in this context with a dedicated new ombudsman.
An annual review will be conducted by the EC and the US DoC to monitor the functioning of the arrangement and discuss the issue of national security access.
Citizens who believe their data has been misused under the new arrangement can expect a reply to their complaints by companies within a set deadline.
European data protection authorities can also refer complaints to the DoC and the FTC. Alternative dispute resolution will be free of charge if required.
Vice-president of the commission, Andrus Ansip, commented: ‘Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.
‘[The] decision helps us build a digital single market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.’
Phil Lee, data protection partner at Fieldfisher, said the announcement would be ‘welcomed by many’ but warned of the challenges ahead.
‘Keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces,’ Lee said.
Nicola Fulford, head of data protection and privacy at Kemp Little, said that while the new agreement was a positive step forwards, it was only the first step in a process towards fully implementing the EU-US Privacy Shield on both sides of the Atlantic.
‘It remains to be seen how widely the EU-US Privacy Shield will be adopted and how soon EU companies will sign up to it. Companies that have gone to the effort of putting model clauses in place with their US suppliers or entering into BCRs between group companies, might decide to continue to rely on these mechanisms instead of adopting the new privacy shield so soon afterwards,’ she said.
‘A question mark still hangs over the status of US companies that are currently Safe Harbor certified. The Commission’s announcement does not clarify whether they will automatically transition to the new privacy shield or whether they will have to register anew, and what that will involve.’
A draft ‘adequacy decision’ will be made by Ansip and fellow commissioner Jourová in the coming weeks, which requires approval from the other ‘college’ commissioners before being adopted.
Meanwhile, the US is thought to be making the necessary preparations to put in place the new framework, monitoring mechanisms, and new ombudsman.